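The research of our graduate Osaki, "Overcoming eBPF Constraints: Towards Practical ML/NN-based Anomaly Detection," has been accepted to the IPSJ Journal (情報処理学会論文誌). The work was carried out during the author's fourth undergraduate year.
Abstract: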
Machine learning (ML) and neural networks (NN) in extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP) are being explored for network anomaly detection to balance accuracy and throughput. However, eBPF’s constraints, such as the instruction count limitation and the absence of floating-point support, make the implementation of such algorithms challenging. While previous works use workarounds, they lack cost analysis of the workarounds and performance comparisons with the user space approach. This paper investigates the practicality of overcoming these constraints in the context of ML/NN-based anomaly detection through evaluations of the cost and the impact of workarounds. We show that while instruction count is not a major concern, arithmetic errors in static fixed-point calculations negatively affect feature extraction and detection accuracy. However, we also show that dynamic fixed-point can match the detection accuracy in kernel space with that in user space. Furthermore, we demonstrate that the performance gap between eBPF/XDP and faster kernel-bypass technologies narrows to just 7% in ML/NN-based anomaly detection contexts. We conclude that ML/NN-based anomaly detection in eBPF/XDP is not only feasible but beneficial for real-world deployments compared to alternatives.


